====== Cloud integration ======

**Target audience:** Cloud architects, DevOps \\
**Focus:** HSM integration, secrets management, multi-cloud

Integration of a PQ-capable PKI with cloud HSMs and secrets-management services.

----

===== Overview =====

<code>
flowchart TB
    subgraph ONPREM["ON-PREMISES"]
        CA[CA Server]
        HSM[HSM]
    end
    subgraph AZURE["AZURE"]
        AKV[Azure Key Vault]
        AHSM[Managed HSM]
    end
    subgraph AWS["AWS"]
        ACM[AWS Certificate Manager]
        KMS[AWS KMS]
        CHSM[CloudHSM]
    end
    subgraph MULTI["MULTI-CLOUD"]
        HV[HashiCorp Vault]
    end
    CA --> AKV & ACM & HV
    HSM -.->|Backup| AHSM & CHSM
    HV --> AZURE & AWS
    style HV fill:#e8f5e9
    style AKV fill:#e3f2fd
    style ACM fill:#fff3e0
</code>

----

===== Cloud provider comparison =====

^ Feature ^ Azure Key Vault ^ AWS KMS ^ HashiCorp Vault ^
| **HSM FIPS 140-2** | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| **PQ support** | Not yet | Not yet | Yes, via plugins |
| **Certificate management** | Yes, native | Yes, ACM | Yes, PKI engine |
| **Multi-cloud** | No | No | Yes |
| **Cost** | Medium | High (CloudHSM) | Open source + Enterprise |

----

===== Scenarios =====

^ Scenario ^ Cloud ^ HSM type ^
| [[.:azure-keyvault|Azure Key Vault]] | Azure | Managed HSM |
| [[.:aws-kms|AWS KMS + CloudHSM]] | AWS | CloudHSM |
| [[.:hashicorp-vault|HashiCorp Vault]] | Multi-cloud | Transit SE |

----

===== Decision tree =====

<code>
flowchart TD
    A[Cloud HSM needed?] --> B{Primary cloud?}
    B -->|Azure| C[Azure Key Vault]
    B -->|AWS| D[AWS KMS/CloudHSM]
    B -->|Multi-Cloud| E[HashiCorp Vault]
    B -->|On-Prem + Cloud| F[Vault + cloud integration]
    C --> G{FIPS Level 3?}
    G -->|Yes| H[Managed HSM]
    G -->|No| I[Standard Key Vault]
    D --> J{Budget?}
    J -->|High| K[CloudHSM]
    J -->|Medium| L[KMS]
    style E fill:#e8f5e9
    style H fill:#e3f2fd
    style K fill:#fff3e0
</code>

----

===== Hybrid strategy =====

**Recommendation:** On-premises Root CA + cloud intermediate CA for cloud workloads

^ Component ^ Location ^ Rationale ^
| Root CA | On-premises (HSM) | Highest security |
| Intermediate (cloud) | Azure/AWS/Vault | Proximity to workloads |
| End-entity | Cloud | Auto-provisioning |
| Backup | Multi-cloud | Disaster recovery |

----

===== Related documentation =====

  * [[..:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] - K8s integration
  * [[..:disaster-recovery:ca-backup-restore|CA Backup]] - Cross-cloud backup
  * [[hr:int:pqcrypt:administrator:konfiguration|Configuration]] - OpenSSL setup

----

<< [[..:start|<- Operator scenarios]] | [[.:azure-keyvault|-> Azure Key Vault]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>cloud azure aws vault hsm operator}}
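A worked example of the hybrid strategy described above, added here and not taken from this page's scenario sub-pages or from HashiCorp: Terraform for the cloud intermediate in Vault's PKI engine, where the Root CA stays on-premises in its HSM and signs the intermediate's CSR out of band. The mount path, common name, domain and variable name are assumed placeholder values.

```hcl
# Added example (not the page's own): cloud intermediate of the hybrid model.
# The Root CA stays on-premises in its HSM; only the certificate it signs
# enters Terraform. Mount path, CN and domain are assumed placeholder values.

variable "signed_intermediate_pem" {
  description = "Intermediate cert signed out of band by the on-prem Root CA (HSM)"
  type        = string
  sensitive   = true
}

# PKI mount running in the cloud, next to the workloads it serves.
resource "vault_mount" "pki_cloud_int" {
  path                      = "pki_cloud_int"
  type                      = "pki"
  description               = "Cloud intermediate CA; root remains on-premises"
  default_lease_ttl_seconds = 86400     # 1 day default for leaf certificates
  max_lease_ttl_seconds     = 31536000  # 1 year ceiling for leaf certificates
}

# Key pair is generated inside Vault; type "internal" means the private key
# is never exported, only the CSR leaves the mount.
resource "vault_pki_secret_backend_intermediate_cert_request" "cloud_int" {
  backend     = vault_mount.pki_cloud_int.path
  type        = "internal"
  common_name = "Cloud Intermediate CA"
  key_type    = "ec"
  key_bits    = 384
}

# Out-of-band step: hand the csr attribute of cloud_int to the on-premises
# Root CA, sign it with the HSM-held key (path length 0), return the PEM above.
resource "vault_pki_secret_backend_intermediate_set_signed" "cloud_int" {
  backend     = vault_mount.pki_cloud_int.path
  certificate = var.signed_intermediate_pem
  depends_on  = [vault_pki_secret_backend_intermediate_cert_request.cloud_int]
}

# Narrow issuing role for workload certificates: one domain, short TTL, no
# arbitrary names, so a compromised cloud tenant cannot mint certs out of scope.
resource "vault_pki_secret_backend_role" "workload" {
  backend            = vault_mount.pki_cloud_int.path
  name               = "workload"
  allowed_domains    = ["svc.example.internal"]
  allow_subdomains   = true
  allow_bare_domains = false
  allow_any_name     = false
  max_ttl            = "72h"
  depends_on         = [vault_pki_secret_backend_intermediate_set_signed.cloud_int]
}
```

The only secret that crosses the on-premises boundary is the signed intermediate certificate; the root key never leaves the HSM and the intermediate key never leaves Vault.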